Managed Services
Your AWS correlation layer, managed.
Ghost Vector operates Ira continuously across your five AWS control layers — watching for gap alignment, tuning thresholds, and escalating to your team when signals converge into a threat worth acting on. Not raw alerts. Validated gap alignment reports, ranked and ready for your decision.
The Case for Managed
Defence in depth only works if someone is maintaining the layers.
The Swiss cheese model doesn’t just describe your controls — it describes your team. Every control layer Ira watches needs continuous tuning: drift baselines shift as your environment changes, detection thresholds need calibrating as new services deploy, correlation logic needs updating as AWS threat patterns evolve. That maintenance work doesn’t stop. Most security teams don’t have the headcount to do it without letting something else slip.
Ghost Vector’s managed service closes that gap. Our analysts operate Ira continuously — maintaining baselines, tuning signal thresholds, reviewing drift classifications, and triaging every correlation before it reaches your team. What you receive: validated gap alignment reports with ranked containment options. What your team does: approve the response. Nothing else upstream.
Service Offerings
Match the correlation coverage your environment needs.
Managed Gap Correlation
24/7 correlation across all five AWS control layers — every gap alignment triaged, every false positive filtered, every real alignment escalated to your team with full context and ranked containment options. SLA: critical gap alignments escalated within 15 minutes of detection.
Includes:
- Continuous correlation across CloudTrail, VPC Flow, S3, GuardDuty, and Config
- Analyst-validated triage — no raw alert forwarding. Ever.
- Critical alignment escalation within 15 minutes, with full signal chain
- Ranked containment recommendations ready for your approval
- Monthly posture reports: which layers have been most active, which gaps are widening, drift trends
Proactive Layer Testing
Your layers each have documented gaps. Proactive layer testing is the discipline of actively testing whether those gaps are being exploited before Ira’s automated correlation detects them. Ghost Vector analysts run targeted queries across your AWS control layers — looking for patterns that automated correlation alone won’t surface.
Includes:
- Quarterly threat hunt cycles (or on-demand)
- Hunt hypotheses informed by current AWS threat intelligence
- Full written report per engagement with findings and recommendations
- Identified gaps fed back into detection tuning
Layer Integration & Baseline
White-glove integration of Ira into your AWS environment. We deploy, configure each control layer integration, establish your baseline, and tune initial thresholds so Ira’s correlation reflects your environment — not a generic template. Operational in 3–5 days.
Includes:
- Terraform deployment into your AWS account
- Integration with CloudTrail, VPC Flow Logs, S3, GuardDuty, Config
- IAM role provisioning with least-privilege scoping
- Initial baseline tuning to reduce noise from day one
- Knowledge transfer session with your security team
Engagement Model
What the engagement looks like
-
Scoping & deployment
We assess your AWS environment, identify telemetry sources, and deploy Ira via Terraform into your account. Typical deployment: 2–5 business days.
-
Baseline & tuning
Ira runs in observation mode while we establish your environment’s baseline. We tune thresholds, suppress known-good patterns, and validate detection coverage. Duration depends on environment complexity.
-
Operational handover
Ghost Vector begins active monitoring. Findings are triaged by our analysts before anything reaches your team. You receive validated incidents with full context, not raw alerts.
-
Ongoing operation
Continuous monitoring, periodic threat hunts, monthly posture reports. Detection logic is updated as AWS threat patterns evolve. Your team approves containment actions — we handle everything else.
Your Environment, Your Control
What stays the same
Approval authority
Every containment recommendation still requires your explicit approval. Ghost Vector analysts triage and investigate. Your team makes the call.
Full audit trail
All analysis logs, findings, scores, and recommendations remain in your AWS account. The same auditability guarantees apply whether you operate Ira or we do.
Single-tenant deployment
Ira runs in your account. There is no shared infrastructure, no co-mingled data, no multi-tenant backend. The managed service changes who operates the system, not where it runs.
Transparency
You have read access to every dashboard, every finding, every detection rule. We do not gate visibility behind service tiers. If Ira can see it, you can see it.